When the Trojan is executed, it may create the following files:
%ProgramFiles%\[FOLDER NAME ONE]\[FOLDER NAME TWO]\acroiehelper.exe
%ProgramFiles%\[FOLDER NAME ONE]\[FOLDER NAME TWO]\groovemonitor.exe
%ProgramFiles%\[FOLDER NAME ONE]\[FOLDER NAME TWO]\issch.exe
%ProgramFiles%\[FOLDER NAME ONE]\[FOLDER NAME TWO]\jqs.exe
%ProgramFiles%\[FOLDER NAME ONE]\[FOLDER NAME TWO]\smagent.exe
The variable [FOLDER NAME ONE] may be one of the following:

The variable [FOLDER NAME TWO] may be one of the following:
Bin
Helper
Installer
Uninstall
Update

Next, the Trojan creates the following registry entries so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM GUID]" = "[FILE NAME]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[RANDOM GUID]" = "[FILE NAME]"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM GUID]" = "[FILE NAME]"
The Trojan then creates the following registry entry:
HKEY_CURRENT_USER\Software\Stability Software\"Uniq" = "[RANDOM GUID]"
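
One way to triage exported Run-key values against the file and registry indicators listed above, as an added example that is not part of the original write-up. The function names and the sample Run values are constructed for illustration; only the file names, the [FOLDER NAME TWO] values and the GUID-style value name come from the description.

```python
import re
from ntpath import basename, dirname

# File names and [FOLDER NAME TWO] values listed in the write-up.
DROPPED_NAMES = {"acroiehelper.exe", "groovemonitor.exe", "issch.exe",
                 "jqs.exe", "smagent.exe"}
FOLDER_TWO = {"bin", "helper", "installer", "uninstall", "update"}
GUID_RE = re.compile(r"^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)

def score_run_entry(value_name, value_data):
    """Return which indicators from the write-up one Run value matches."""
    # Run data is often quoted and may carry arguments; keep the quoted path.
    quoted = re.match(r'\s*"([^"]+)"', value_data)
    path = quoted.group(1) if quoted else value_data.strip()
    hits = []
    if GUID_RE.match(value_name.strip()):
        hits.append("guid_value_name")
    if basename(path).lower() in DROPPED_NAMES:
        hits.append("dropped_file_name")
    # Layout check applies only when the data is a full path:
    # <Program Files>\<folder one>\<folder two>\<file>
    parent = dirname(path)
    if basename(parent).lower() in FOLDER_TWO and "program files" in parent.lower():
        hits.append("folder_layout")
    return hits

def is_suspicious(value_name, value_data):
    hits = score_run_entry(value_name, value_data)
    # A file name or folder alone is weak evidence, since other software may
    # use the same names; require the GUID value name together with a listed file.
    return "guid_value_name" in hits and "dropped_file_name" in hits

# Constructed sample values, not taken from a real host.
SAMPLE_RUN_VALUES = [
    ("{3F2504E0-4F89-11D3-9A0C-0305E82C3301}",
     r"C:\Program Files\ExampleVendor\Update\jqs.exe"),
    ("ExampleUpdater", r'"C:\Program Files\ExampleVendor\bin\updater.exe" /quiet'),
    ("GrooveMonitor", r'"C:\Program Files\ExampleSuite\App\GrooveMonitor.exe"'),
    ("{9B2C7A10-0000-4ABC-8DEF-1234567890AB}", "smagent.exe"),
]

def triage(values):
    """Return (name, data, indicators) for every entry worth a closer look."""
    return [(n, d, score_run_entry(n, d)) for n, d in values if is_suspicious(n, d)]

if __name__ == "__main__":
    for name, data, hits in triage(SAMPLE_RUN_VALUES):
        print(name, data, hits)
```

The same scoring should be run over all three Run locations listed above, since the entry may be present in any of them.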
Next, the Trojan may collect the following information from the compromised computer:
Architecture type
Computer name
File name of the threat
IP address
Operating system version
Operating system service pack version, if installed
Running processes

The Trojan may then send the stolen information to the following remote locations:
